DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It's important for validating that the emails you send are legitimate, and it makes it harder for spammers and phishers to spoof your domain, because spoofed email can be stopped before it even gets to your users' inboxes.


Prerequisites

DMARC works by using your SPF and DKIM records. Before you set up DMARC, you will need to make sure you have properly deployed DKIM and SPF across ALL of your sending platforms.


If you use a custom sending domain and have not yet configured your DNS according to the BuyerGenomics specification, you can do so using this guide.


DMARC Configuration

When configuring your DNS, we strongly recommend adding a DMARC record if you do not already have one. When setting up your DMARC record, we recommend using the following tags (BuyerGenomics support will provide the values):

  • v (Protocol version, usually v=DMARC1)
  • ruf (Reporting URI for forensic reports - usually ruf=mailto:BG_EMAIL, which will be provided for you)
  • rua (Reporting URI for aggregate reports - usually rua=mailto:BG_EMAIL, which will be provided for you)
  • p (Policy for the domain)
  • adkim (Alignment mode for DKIM)
  • aspf (Alignment mode for SPF)


If your organisation uses other DMARC tags, you can find the full list here.


When you are provided with the values for the above, the default policy provided will be "none". If you already have a DMARC record with a different policy, we recommend keeping that policy rather than changing it to none. 


DMARC Policies

While "none" is provided by default as the DMARC policy, we do recommend that you update the policy in the future. There are three different DMARC policies: 

  • "none"
  • "quarantine"
  • "reject"

Each of these policies has different behavior, so it is important to understand what each one does before you change the policy.


Policy: None

With the "none" policy in place, the email receiver will not take any special action on the mail you send to them. The email provider will deliver the email to the inbox (or the promotions folder) as usual. However, the provider will now also provide a DMARC report. This is the least secure of the policies, but it allows domain managers to test their implementation before updating the DMARC policy.


Policy: Quarantine

The "quarantine" policy tells email receivers to put mail that fails the DMARC check (i.e., mail that is not allowed to be sent on your behalf) into a special "quarantine" folder, such as the spam or junk folder. You will also receive the DMARC report, same as above.


Policy: Reject

The "reject" policy tells email receivers that mail that fails the DMARC check should not even go into the spam or junk folders. Instead, the receivers bounce the email, and it is never delivered to any part of the recipient's mailbox. Again, like above, you will also receive a DMARC report. This is the most secure policy, but it requires that your implementations are complete, verified, and up-to-date.
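
As an added example (not BuyerGenomics code), the following Python audits a DMARC TXT record for the tags recommended under DMARC Configuration and flags the policy in use. The sample record and its example.com report address are constructed; the r/s alignment values and the rule that v=DMARC1 comes first are taken from RFC 7489.

```python
# Added example: audit a DMARC TXT record against the tags recommended above.
RECOMMENDED_TAGS = ("v", "p", "rua", "ruf", "adkim", "aspf")
POLICIES = ("none", "quarantine", "reject")   # least to most strict
ALIGNMENT_MODES = ("r", "s")                  # relaxed, strict (RFC 7489)
# Constructed sample record; the report address is a placeholder.
SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; adkim=r; aspf=r"


def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return a list of findings; an empty list means nothing to flag."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if record.split(";")[0].replace(" ", "") != "v=DMARC1":
        findings.append("record must start with v=DMARC1")
    for tag in RECOMMENDED_TAGS:
        if tag not in tags:
            findings.append(f"missing recommended tag: {tag}")
    policy = tags.get("p", "").lower()
    if "p" in tags and policy not in POLICIES:
        findings.append(f"unknown policy: {policy}")
    elif policy == "none":
        findings.append("p=none only reports; failing mail is still delivered")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag].lower() not in ALIGNMENT_MODES:
            findings.append(f"{tag} must be r (relaxed) or s (strict)")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if tag in tags and not uri.strip().lower().startswith("mailto:"):
                findings.append(f"{tag} entry is not a mailto: URI: {uri.strip()}")
    return findings
```

Run `audit_dmarc` on the TXT value published at `_dmarc.<your domain>`; an empty list means every recommended tag is present with a valid value and the policy is stricter than "none".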